Release Notes

This hotfix should be applied to the following versions of Plone

Plone 4.x, but see below for more information on 4.3.9 and higher

Any older version of Plone is officially unsupported

Plone 5 is NOT vulnerable

Plone 4.3.9 and higher

The hotfix is partially included in Plone 4.3.9. The biggest part that is missing by default is plone.protect version 3.x, which is the part that does the actual automatic CSRF protection. By default Plone 4.3.9 stays on plone.protect version 2.x, because version 3.x can be overly aggressive, as explained in the advisory linked above. So we want inclusion of this hotfix to remain an explicit decision made by you.

The plone4.csrffixes package can still be used on Plone 4.3.9 and higher, but the fixes it contains to avoid most of the aggressiveness have been incorporated into the core packages of Plone 4.3.9. To use the automatic CSRF protection, you only need to update plone.protect to the latest version in the 3.x range.

So to include the extra protection on Plone 4.3.9 and higher, which is still recommended, open the buildout.cfg file in your editor, scroll down to the [versions] section of the buildout and add the following:

[versions]
...
plone.protect = 3.0.18

But with this version you may still notice Unauthorized errors in some JavaScript requests, especially when using the TinyMCE visual editor. This means you still need to add plone4.csrffixes after all:

[buildout]
...
eggs =
...
plone4.csrffixes

Installation instructions

The procedure for installing Hotfix 20151006 differs from other hotfix releases as it requires you to run buildout.

Backup First!

It is prudent to backup all of your data and installation files before installing any Plone add-on, including this hotfix. If you already have a solid Plone backup routine in place, then you can skip this step and proceed.

If you don't already have a backup of your Plone site, the simplest way to back up your Plone instance is to simply copy your entire Zope instance folder or buildout folder to a secure location.

Installing with Buildout

1) Find your buildout.cfg file, typically located in the "zinstance" or "zeocluster" subdirectory of your Plone installation directory.

2) Open your buildout.cfg file in your favorite text editor.

3) Scroll down to the "eggs" section of the buildout and add plone4.csrffixes, e.g.

[buildout]
...
eggs =
...
plone4.csrffixes

4) Scroll down to the [versions] section of the buildout and add the following:

On versions of Plone 4.0 and 4.1, you will also likely need to add a pin for lxml:

[versions]
...
lxml = 2.3.6
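A way to confirm the buildout edits from steps 3 and 4 landed where they should before you run buildout, as an added example that is not part of the hotfix or the plone4.csrffixes package. It parses a constructed buildout.cfg in the layout shown above and reports whether plone4.csrffixes is in the eggs list, whether plone.protect is pinned to 3.0.18 or newer, and (for Plone 4.0/4.1) whether the lxml pin is present; the sample config and the function names are assumptions.

```python
"""Added example: sanity-check a buildout.cfg for the CSRF hotfix settings."""
import configparser
import io

# Constructed sample buildout.cfg (not from a real site), following the
# [buildout] eggs and [versions] layout shown in these release notes.
SAMPLE_BUILDOUT_CFG = """\
[buildout]
extends = http://dist.plone.org/release/4.3.9/versions.cfg
eggs =
    Plone
    plone4.csrffixes

[versions]
plone.protect = 3.0.18
lxml = 2.3.6
"""


def parse_buildout(text):
    # buildout.cfg is INI-like: indented continuation lines form multi-line
    # values, '=' is the only delimiter, and option names are case-sensitive.
    # Interpolation is disabled so ${buildout:directory} style values parse.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    parser.optionxform = str
    parser.read_file(io.StringIO(text))
    return parser


def version_tuple(version):
    # "3.0.18" -> (3, 0, 18) so pins compare numerically, not as strings.
    return tuple(int(part) for part in version.split("."))


def csrf_hotfix_status(text, plone_version="4.3"):
    """Report which of the hotfix settings a buildout.cfg actually contains."""
    cfg = parse_buildout(text)
    # 'eggs +=' is parsed by configparser as the option name 'eggs +'.
    eggs = (cfg.get("buildout", "eggs", fallback="") + " "
            + cfg.get("buildout", "eggs +", fallback="")).split()
    protect_pin = cfg.get("versions", "plone.protect", fallback=None)
    lxml_pin = cfg.get("versions", "lxml", fallback=None)
    return {
        "plone4.csrffixes": "plone4.csrffixes" in eggs,
        "plone.protect_pin": protect_pin,
        # Automatic CSRF protection requires the 3.x line (3.0.18 or newer).
        "auto_csrf": protect_pin is not None and version_tuple(protect_pin) >= (3, 0, 18),
        # Plone 4.0 and 4.1 also need the lxml pin from the notes above.
        "lxml_pin_ok": plone_version not in ("4.0", "4.1") or lxml_pin is not None,
    }
```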

Additional version pins you might have better luck with: to prevent some write-on-read errors that can cause false positives with the automatic CSRF protection, the following version pins have been reported to work when upgrading to:


The text and illustrations in this website are licensed by the Plone Foundation under a Creative Commons Attribution-ShareAlike 4.0 International license.

Plone and the Plone® logo are registered trademarks of the Plone Foundation, registered in the United States and other countries. For guidelines on the permitted uses of the Plone trademarks, see https://plone.org/foundation/logo